When you tell people you’re writing a piece on cybersecurity insurance, they tend to make the cock-headed, scrunched-eyebrow expression of a confused puppy. Even when you interview cyber insurance professionals, they preemptively apologize for boring you.
The truth is, cyber liability insurance–like any other kind of insurance–is pretty boring, right up until the point that the people who need it can’t get it. Then it becomes not only interesting, but vital. And that’s the point we’re approaching now.
In the past three years, the cost of cyber liability premiums hasn’t so much skyrocketed as it has teleported. In 2021, the cost of cyber insurance increased 25.5% year-over-year, making it the fastest growing premiums of all lines of insurance. 2022 was even worse, with rates doubling in the first quarter and increasing a further 79% in Q2. (A note on data: sources differ in the exact percentages of price increases depending on whether they’re studying U.S. or global markets, or new versus renewed policies, but they all tell the same basic story.)
These massive price jumps have stabilized somewhat in 2023, but that only means that prices are rising more slowly. We’re feeling the crunch as well; here at Kolide, we’re paying 40% more for our policy in 2023 than we did in 2021.
If you’re looking at your own cyber insurance policy and scratching your head (or pulling out your hair), you likely have three questions:
- Why has the cost of cybersecurity insurance increased so dramatically?
- Do I need cyber insurance or can I go without it?
- What can I do to reduce my cyber liability premiums?
Let’s try and answer all three.
There’s a simple and a complicated answer to this question.
You could probably figure out the simple answer on your own: cyber insurance costs more because of the huge rise in data breaches and hacks in the post-COVID world. When the pandemic hit and employees started working remotely en masse, it created a cybersecurity crisis. Workers accessed sensitive data on their personal, unmanaged devices and outside the protection of the company VPN, and bad actors seized on the chance to launch a campaign of phishing, ransomware, and other attacks that targeted vulnerable employees on vulnerable devices.
All these breaches created a tidal wave of insurance claims that threatened the profitability of the entire field. The Information reported that “collectively, insurers’ payouts to customers nearly exceeded the amount they collect via premiums.” In response, insurers not only jacked up prices, they instituted much tougher underwriting requirements (more on that later), and trimmed what their policies would cover.
The more complicated answer is that companies themselves helped create this crisis by investing more in insurance than they did in actual security. As far back as 2017, AT&T named “overreliance on cyber insurance” as one of its three chief cybersecurity concerns. According to their report: “Nearly 3 in 10 survey respondents (28%) plan to allocate all or most of their cybersecurity budget to insurance in anticipation of future incidents. ”
That’s not to say that every company is to blame for its own misfortunes, but in insurance, a few irresponsible actors and careless underwriters can drive premiums up for everyone.
Finally, some of these premium increases are probably just normal price corrections, since the concept of cyber insurance is still quite new (some date the first policy to 1997.) “When cyber liability insurance entered the marketplace, it was kind of an unknown,” says Andrew Bucci, VP of Sales at Amplified Insurance Partners. “It was a new product and I don’t think the underwriters really knew how to price it.”
The question everyone asks when insurance gets too expensive is: can I go without it? Unfortunately, if you digitally store sensitive customer data and/or payment information (so if you run anything more complicated than a lemonade stand) then you probably need a policy.
We’re not here to sell you cyber insurance, and plenty of small businesses still go without it, but hackers are increasingly targeting SMBs, so you can’t automatically assume you’re too small to be a target.
These days, a data breach costs businesses an average of $4.45 million, which could put a small company out of business if they lacked insurance. And beyond a simple payout, cyber insurance providers often help companies hire forensic experts to recover data, negotiate with ransomware attackers, and inform customers of a breach.
Still, you can tailor your coverage to your budget and risk level. Standalone policies typically provide more coverage and assistance in the aftermath of a breach, but if you’re not in a particularly vulnerable industry (such as healthcare), you can likely buy insurance as part of a larger business policy. This is common even in large organizations. According to Forrester’s report, The State of Cyber Insurance, 2023, 84% of enterprise decision-makers have cyber insurance, but only 26% report having a standalone cyber insurance policy.
Despite the growing need for coverage, the rising costs of insurance are beginning to squeeze out companies at the high and low ends of the market. According to The Information, some major enterprises with expensive policies are exploring alternative forms of insurance. “In some cases, companies set up a captive insurer, an arrangement in which a company uses its capital to create an insurer whose only customer is the company.”
Small businesses, on the other hand, don’t have such exotic options for going without traditional cyber insurance. Bucci acknowledges the tough position businesses are in when insurance becomes truly unaffordable: “It’s going to come to a point where some people may have to self-insure, which means that they don’t take a cyber policy out and they just cross their fingers they don’t have some sort of breach.”
Cyber insurance costs depend on several variables, so it’s tough to come up with an “average cost.” But there are a few factors that can drive the cost of a policy up or down.
Certain industries are subject to higher premiums because they are more susceptible to threats. Hospitals, for example, are a major target of ransomware attacks because they store sensitive patient data and will often choose to pay ransoms rather than risk their patients’ lives by going offline.
“Healthcare businesses see substantial premiums. Because if they get hacked and one HIPAA-protected record gets into the wrong hands, that’s going to be detrimental,” Bucci explains. “So you need a standalone cyber policy that’s going to include coverage for social engineering and ransomware.”
On top of that, if you file a claim, “You’re going to need an experienced resource to come in and do forensics. And you will also need a policy that’s going to pay to alert the individuals whose records have been breached, which typically costs $150 to $200 per notification.”
Some industries are considered so vulnerable that carriers may refuse to cover them at all. Dan Garcia-Diaz, managing director of the U.S. Government Accounting Office (GAO), told CNBC that “one insurer reported that it opted not to insure the energy sector because of its vulnerability to attacks and because of concerns that energy operators do not follow robust cyber security protocols.”
Your revenue plays a key role in how much you end up paying for your premium because insurance providers use revenue for the rating basis. If the provider’s rate is $15 per $1000 in revenue, and your projected revenue is $900K, then your premium will be $13.5K.
“When you have $500K in revenue, you can get a $1 million or $2 million policy for much cheaper versus when you have $5 million in revenue,” explains Joe Morrison of Collard Advisory Group.
Unsurprisingly, insurance carriers tend to charge more if you’ve been breached in the past. But the correlation isn’t necessarily as strong as you might think, depending on how your company responded to the breach.
Says Bucci: “It’s always going to be a question on your application, but it’s not the end-all, be-all. Maybe you were breached but the claim was never paid out because you got the breach under control. What it’s really going to come down to is what protections you have in place to keep a breach from happening again.”
That brings us to the next factor.
The evaluation of your security system and protocols is a critical step in the underwriting process.
Typically, the insurance provider will require you to fill out a lengthy questionnaire that asks security-related questions. For example, you might need to provide information on your backup and recovery procedures.
Most of the questions will be familiar to anyone who has gone through SOC 2 certification.
Here’s a (non-exhaustive) sampler from a questionnaire we reviewed:
- Do you have third party software to protect your network such as antivirus and firewalls?
- Do you have an incident response plan in the event of a breach?
- Do you conduct an annual review and test of all your system backup and recovery procedures?
- Do you store health information?
- Do you store payment information?
- Do you use any software or hardware past its end of life date?
- Do you implement all required software updates for known vulnerabilities?
When going through the cybersecurity assessment, it’s important to be honest, or you risk shooting yourself in the foot later on. “Let’s say that a company states it has a security measure in place and then a claim happens. When the insurance provider comes to investigate, and if the company said it had multifactor authentication but didn’t, the insurer can deny the claim,” says Bucci.
Also, it’s important to recognize the limits of your policy. Fortinet explains that cyber insurance policies “often exclude issues that were preventable or caused by human error or negligence.” They name poor security, insider attacks, and breaches arising from previously known vulnerabilities as examples of issues that can get your claim denied.
It’s easy to feel helpless in the face of rising insurance costs, but there are ways to negotiate for a better rate.
If you’re shopping for a new cyber liability insurance policy or renewing an existing one, the following tips can help you pay less.
The insurance marketplace changes, so if you’ve been renewing your policy with the same company and their prices keep increasing, your broker can help you re-negotiate a more favorable rate. Bucci recommends brokers shop rates out every three years to multiple companies, which will help you pay less for similar coverage.
Improving your company’s security is the best way to ensure that coverage remains accessible and affordable for everyone, and that your claim is actually approved in the event of a breach.
According to Bucci, some insurance providers now require customers to have multifactor authentication (MFA) to protect against phishing and other credential-based attacks.
The cyber insurance company Coalition recommends creating backups of critical data that you can use to avoid paying the ransom in a ransomware attack. Likewise, they advise keeping up-to-date on patching of both servers and employee devices, to protect against known vulnerabilities.
Investing in security for your insurance provider is time-consuming and expensive, but it may actually protect you from a breach. According to Forrester, companies with standalone cyber insurance policies were the least likely to report a breach in the last 12 months. Granted, this is a small dataset, but it speaks to the larger value of taking security seriously.
At Kolide, we’re a security company, not an insurance company, so we can only talk about rising premiums as observers (and customers). But we have observed that insurance costs seem to be one of the factors driving interest in our product and in security more broadly. The same circumstances that drove up cyber attacks and insurance premiums are also driving interest in Zero Trust security, and in our subset of it: device trust.
Kolide reduces the likelihood of a breach by ensuring that only secure devices access company resources. And since nearly half of companies still allow unmanaged devices to access their apps, we have a rather large hole to fill.
If you’d like to learn more about our solution, watch our on-demand demo.